oensel-akin
Prepared with the great information that can be found at http://www.troyhunt.com/2011/12/free-ebook-owasp-top-10-for-net.html
OWASP & ASP.NET
OWASP TOP 10
• Injection
• Cross-Site Scripting (XSS)
• Broken Authentication & Session Management
• Insecure Direct Object References
• Cross-Site Request Forgery
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Injection
• SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query
• Untrusted data: anything whose integrity cannot be verified and whose intent may be malicious
– Manual user input (what the user types into forms)
– Implicit user input (cookies, headers and other values the browser sends on its own)
– Constructed user input (requests hand-crafted or replayed with a proxy or script)
Injection Matrix
Threat Agents: Anyone who can send data to the system
Attack Vectors (Exploitability: EASY): Attacker sends simple text-based attacks that exploit the syntax of the interpreter.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Very prevalent, particularly in legacy code; often found in SQL and LDAP queries, OS commands and program arguments.
Technical Impacts (Impact: SEVERE): Can result in data loss or corruption, lack of accountability or denial of access.
Business Impact: Business value of the affected data.
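The matrix describes the flaw in the abstract. The C# below is an added example written for this page (it is not from the deck or from Troy Hunt's ebook): the vulnerable string-concatenated query an ASP.NET application might issue against SQL Server, beside its parameterised replacement. The table and column names (Products, CategoryId, Name, Price), the sorting whitelist and the connection string are assumptions of the example.

```csharp
// Added example (not part of the original deck): string-concatenated SQL beside the
// parameterised form. Table/column names and the connection string are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductRepository
{
    // Identifiers cannot be passed as parameters, so a dynamic ORDER BY column must come
    // from a fixed whitelist rather than from the request.
    static readonly string[] SortableColumns = { "Name", "Price" };

    // VULNERABLE: the value is part of the query text, so the interpreter cannot separate
    // the developer's SQL from the user's data. categoryId = "5 OR 1=1" returns every
    // product; "5; DROP TABLE Products --" runs a second statement if the database login
    // has the rights to (another reason the login should be least-privilege).
    public static DataTable FindByCategoryUnsafe(SqlConnection conn, string categoryId)
    {
        using (var cmd = new SqlCommand(
            "SELECT Name, Price FROM Products WHERE CategoryId = " + categoryId, conn))
        {
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }

    // FIXED: constant query text, the value travels as a typed parameter. SQL Server sees
    // @categoryId as a bound integer, so no quoting in the input can reach the parser.
    // Stored procedures called with CommandType.StoredProcedure and LINQ to SQL / Entity
    // Framework queries are parameterised the same way, unless EXEC(@sql) or string
    // concatenation is hidden behind them.
    public static DataTable FindByCategory(SqlConnection conn, string categoryId, string orderBy)
    {
        int id;
        if (!int.TryParse(categoryId, out id)) // validate the shape first: it must be an int
            throw new ArgumentException("CategoryId must be an integer", "categoryId");

        if (Array.IndexOf(SortableColumns, orderBy) < 0)
            orderBy = "Name"; // unknown column requested: fall back, never interpolate it

        using (var cmd = new SqlCommand(
            "SELECT Name, Price FROM Products WHERE CategoryId = @categoryId ORDER BY " + orderBy,
            conn))
        {
            cmd.Parameters.Add("@categoryId", SqlDbType.Int).Value = id;
            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }

    // Constructed usage: the same hostile input against both methods.
    public static void Demo(string connectionString)
    {
        const string hostile = "5 OR 1=1";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            // Every row comes back: the OR became part of the WHERE clause.
            DataTable leaked = FindByCategoryUnsafe(conn, hostile);
            Console.WriteLine("unsafe query returned {0} rows", leaked.Rows.Count);
            try
            {
                FindByCategory(conn, hostile, "Price"); // rejected before any SQL is built
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("safe query rejected input: {0}", ex.Message);
            }
        }
    }
}
```

The parameter is the fix; the `int.TryParse` check is defence in depth that also gives a clean error instead of a SQL conversion failure. The ORDER BY whitelist is the one place where a parameter cannot help, which is why it is validated against a fixed list rather than encoded.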
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING
• Most commonly exploited vulnerability
• WhiteHat Security report: 65% of sites have an XSS vulnerability
• Sending untrusted data to a browser without proper validation and escaping
• Allows executing scripts in the victim's browser
– Hijack user sessions
– Redirect to malicious sites
• Data stored in the database can itself become the attack vector (stored XSS)
XSS Matrix
Threat Agents: Anyone who can send untrusted data to the system
Attack Vectors (Exploitability: AVERAGE): Attacker sends text-based attack scripts that exploit the interpreter in the browser.
Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Most prevalent web application security flaw. Three types: stored, reflected and DOM-based.
Technical Impacts (Impact: MODERATE): Attacker can execute script in the victim's browser: session hijacking, inserting hostile content, redirecting the user, delivering malware, etc.
Business Impact: Business value of the affected data.
Encoding
Encoding method: example/pattern it is meant for
HtmlEncode: <a href="http://www.contoso.com">Click Here [Untrusted input]</a>
HtmlAttributeEncode: <hr noshade size=[Untrusted input]>
JavaScriptEncode: <script type="text/javascript">…[Untrusted input]…</script>
UrlEncode: <a href="http://search.msn.com/results.aspx?q=[Untrusted-input]">Click Here!</a>
XmlEncode: <xml_tag>[Untrusted input]</xml_tag>
XmlAttributeEncode: <xml_tag attribute=[Untrusted input]>Some Text</xml_tag>
Two caveats: quote attribute values even when you encode them (HttpUtility.HtmlAttributeEncode leaves spaces untouched, so an unquoted size=[Untrusted input] can still sprout an onmouseover= attribute; the AntiXSS encoders encode spaces as well), and the JavaScriptEncode pattern is only safe when the value lands inside a quoted JavaScript string, never as bare code (see Rule #0 and Rule #3).
XSS Prevention Rule #0
• Never Insert Untrusted Data Except in Allowed Locations
<script>...NEVER PUT UNTRUSTED DATA HERE...</script>   directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...-->   inside an HTML comment
<div ...NEVER PUT UNTRUSTED DATA HERE...=test />   in an attribute name
<NEVER PUT UNTRUSTED DATA HERE... href="/test" />   in a tag name
<style>...NEVER PUT UNTRUSTED DATA HERE...</style>   directly in CSS
XSS Prevention Rule #1
• HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</body>   element content
<div>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...</div>   any other normal HTML element
• & --> &amp;
• < --> &lt;
• > --> &gt;
• " --> &quot;
• ' --> &#x27; (&apos; is not recommended, it is not in the HTML 4 specification)
• / --> &#x2F; (the slash is included because it helps end an HTML entity)
XSS Prevention Rule #2
• Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...>content</div>   inside UNquoted attribute
<div attr='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'>content</div>   inside single quoted attribute
<div attr="...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">content</div>   inside double quoted attribute
• Except for alphanumerics, escape every character below 256 as &#xHH;. Properly quoted attributes can only be broken out of with the matching quote; unquoted attributes can be broken out of with many characters (space % * + , - / ; < = > ^ |), so always quote them
XSS Prevention Rule #3
• JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
<script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script>   inside a quoted string
<script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script>   one side of a quoted expression
<div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"></div>   inside quoted event handler
• Escape all characters except alphanumerics as \xHH; do not use shortcuts like \" because the quote may be consumed first by the HTML attribute parser, which runs before the JavaScript parser
XSS Prevention Rule #4
• CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style>   property value
<style>selector { property : "...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE..."; } </style>   quoted property value
<span style="property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">text</span>   property value in a style attribute
• Escaping is not sufficient on its own: values such as url(javascript:...) or expression(...) execute in some browsers even when correctly CSS-escaped, so the value must also be validated against what the property legitimately accepts
XSS Prevention Rule #5
• URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a>
• URL-encode the parameter value only, never the whole URL. A user-supplied URL placed in href must additionally be validated (scheme http or https, no javascript: or data:) and then HTML attribute encoded like any other attribute value
XSS Prevention Rule #6
• Use an HTML policy engine (sanitizer) to validate or clean user-supplied HTML before it is sent to the browser
• AntiXSS: Microsoft's Anti-XSS library provides whitelist-based encoders and an HTML sanitizer (Sanitizer.GetSafeHtmlFragment)
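To make the rules concrete, here is an added C# example (written for this page, not taken from the deck or from the AntiXSS library's own samples) that places one hostile string into each output context the rules cover, with the encoder that matches the context. It assumes .NET Framework 4.5+, where AntiXssEncoder ships in System.Web.dll; on earlier versions the same methods come from Microsoft.Security.Application.Encoder in the AntiXSS library. The payload and the surrounding markup are constructed.

```csharp
// Added example (not part of the deck): one untrusted value placed into each output
// context from the rules above, with the matching encoder. Assumes .NET Framework 4.5+
// (System.Web.Security.AntiXss.AntiXssEncoder); the payload is constructed.
using System.Web;
using System.Web.Security.AntiXss;

public static class OutputEncoding
{
    // Constructed payload: tries to close a quoted attribute, a JS string and a tag at once.
    public const string Hostile = "\"'/><script>alert(document.cookie)</script>";

    // Rule #1: element content. HtmlEncode turns < > & " into entities.
    public static string InElement(string untrusted)
    {
        return "<div>" + HttpUtility.HtmlEncode(untrusted) + "</div>";
    }

    // Rule #2: attribute value. Always quote the attribute. HttpUtility's attribute encoder
    // leaves spaces alone, so an unquoted attribute could still grow a new attribute from
    // input like "1 onmouseover=alert(1)". AntiXssEncoder.HtmlAttributeEncode encodes
    // everything outside an alphanumeric whitelist, spaces included.
    public static string InAttribute(string untrusted)
    {
        return "<input type=\"text\" value=\"" + AntiXssEncoder.HtmlAttributeEncode(untrusted) + "\">";
    }

    // Rule #3: JavaScript data value. The value must sit inside a quoted JS string; the
    // encoder escapes quotes, backslashes and < > & as \uXXXX, so the HTML parser never
    // sees a closing </script> inside the string.
    public static string InScriptString(string untrusted)
    {
        return "<script>var q = " + HttpUtility.JavaScriptStringEncode(untrusted, true) + ";</script>";
    }

    // Rule #0 violation, for contrast: data dropped straight into code. No encoder can fix
    // this context because the payload becomes part of the program text.
    public static string InScriptUnsafe(string untrusted)
    {
        return "<script>var q = " + untrusted + ";</script>";
    }

    // Rule #4: CSS property value. Escape AND validate: url(javascript:...) or expression()
    // executes in some browsers even when CSS-escaped, so the caller must also check the
    // value is a legal colour before calling this.
    public static string InStyle(string untrusted)
    {
        return "<span style=\"color: " + AntiXssEncoder.CssEncode(untrusted) + "\">text</span>";
    }

    // Rule #5: URL parameter value. URL-encode only the parameter, never the whole URL, then
    // attribute-encode the result because it lives inside an HTML attribute.
    public static string InUrlParameter(string untrusted)
    {
        string href = "http://www.somesite.com/search?q=" + HttpUtility.UrlEncode(untrusted);
        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(href) + "\">link</a>";
    }
}
```

Call each method with `OutputEncoding.Hostile` and compare the outputs: only `InScriptUnsafe` returns markup in which the payload's `</script>` is still visible to the HTML parser. In Web Forms the `<%: %>` syntax (.NET 4.0+) applies HtmlEncode automatically, and setting `encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"` on `<httpRuntime>` in web.config (.NET 4.5) routes all of ASP.NET's built-in encoding through AntiXSS.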
BROKEN AUTHENTICATION & SESSION MANAGEMENT
Defining Broken Authentication
• Authentication and session management functions are frequently not implemented correctly
• Allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities
Broken Authentication Matrix
Threat Agents: External attackers and internal users trying to steal accounts from others
Attack Vectors (Exploitability: AVERAGE): Attackers use leaks or flaws in the authentication or session management functions (exposed accounts, passwords, session IDs) to impersonate users.
Security Weakness (Prevalence: COMMON, Detectability: AVERAGE): Developers frequently build custom authentication and session management schemes; building them correctly is hard, and the resulting flaws are hard to find.
Technical Impacts (Impact: SEVERE): Allows some or all accounts to be attacked.
Business Impact: Business value of the affected data.
Anatomy of Broken Authentication
• Session IDs in the URL
– Cookieless session state (sessionState cookieless="true" or "UseUri"): the ID leaks through the Referer header, proxy and server logs and copied links
• Session hijacking can still occur without IDs in the URL (XSS reading the session cookie)
• HttpOnly cookies keep the session cookie out of reach of script (httpCookies httpOnlyCookies="true" in web.config)
• Use the ASP.NET Membership & Role Providers rather than a custom scheme
Session Fixation
• Do not accept session identifiers from GET / POST variables
• Use identity confirmation (re-authenticate before sensitive operations)
• Store session identifiers in cookies
• Regenerate the session ID on each request, or at a minimum whenever the user authenticates
• Accept only server-generated session IDs
• Provide a logout function
• Time out old session IDs
• Destroy the session if the Referer is suspicious
• Verify that additional information is consistent throughout the session
– User Agent
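ASP.NET does not do the last two items for you: by default it adopts any well-formed session ID found in the ASP.NET_SessionId cookie and creates a new session under it, which is exactly what session fixation needs. The following C# is an added example (written for this page, not from the deck or from Troy Hunt's ebook) of an IHttpModule that rejects session IDs the server did not issue and binds a session to the User-Agent it started with. It assumes .NET Framework 4.x, the default session cookie name, and a login page at ~/Login.aspx; all three are assumptions of the example.

```csharp
// Added example (not part of the deck): an IHttpModule applying two of the session fixation
// measures above to ASP.NET cookie-based session state. Assumes .NET Framework 4.x, the
// default cookie name "ASP.NET_SessionId" and a login page at ~/Login.aspx.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public class SessionGuardModule : IHttpModule
{
    const string SessionCookieName = "ASP.NET_SessionId";
    const string UaKey = "__ua_fingerprint";
    const string LoginUrl = "~/Login.aspx";

    public void Init(HttpApplication app)
    {
        // Session state is attached during AcquireRequestState; check right after it.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpSessionState session = ctx.Session;
        if (session == null) return; // handler without session state (static files etc.)

        bool cookieSent = ctx.Request.Cookies[SessionCookieName] != null;

        // "Accept only server-generated SIDs": a session that is new although the client
        // sent an ID was not issued during this visit. It is either expired or planted by
        // an attacker. Discard it and make the browser come back without a cookie.
        if (session.IsNewSession && cookieSent)
        {
            ResetSession(ctx);
            ctx.Response.Redirect(ctx.Request.RawUrl, true);
            return;
        }

        // "Verify that additional information is consistent": bind the session to the
        // User-Agent it started with. A weak signal on its own (the attacker chooses their
        // own UA), so it complements HttpOnly/Secure cookies rather than replacing them.
        string fingerprint = Fingerprint(ctx.Request.UserAgent ?? string.Empty);
        string stored = session[UaKey] as string;
        if (stored == null)
        {
            session[UaKey] = fingerprint; // storing a value also makes ASP.NET persist the session
        }
        else if (stored != fingerprint)
        {
            ResetSession(ctx);
            ctx.Response.Redirect(LoginUrl, true);
        }
    }

    // Call this from the login page as well: destroying the pre-authentication session
    // stops an attacker who fixed its ID from inheriting the authenticated state.
    public static void ResetSession(HttpContext ctx)
    {
        ctx.Session.Abandon();
        // Abandon alone lets ASP.NET reuse the same ID on the next request; expiring the
        // cookie as well is the standard recipe for forcing a new server-generated one.
        ctx.Response.Cookies.Add(new HttpCookie(SessionCookieName, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true
        });
    }

    static string Fingerprint(string userAgent)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(userAgent)));
    }
}
```

Register the module under `<system.webServer><modules>` (IIS 7 integrated pipeline) and, in the login code path, call `SessionGuardModule.ResetSession(Context)` after the credentials check and before `FormsAuthentication.RedirectFromLoginPage`. The redirect-to-self in the first branch relies on the browser honouring the expired cookie; every mainstream browser does, and a client that did not would loop rather than gain a session. Pair this with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` so neither the session nor the forms authentication cookie is readable by script or sent over plain HTTP.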
INSECURE DIRECT OBJECT REFERENCE
Defining insecure direct object reference
• Data being unintentionally disclosed
• Exposing a reference to an internal object, file, directory or database key without verifying that the caller is authorised to access that object
IDOR Matrix
Threat Agents: Users of the system having partial access to system data
Attack Vectors (Exploitability: EASY): Simple parameter modification: an authorised user changes a parameter value to point at an object they are not authorised for.
Security Weakness (Prevalence: COMMON, Detectability: EASY): Applications use the actual name or key value of an object when generating pages and do not verify that the user is authorised for the target object.
Technical Impacts (Impact: MODERATE): Compromise of all data that can be referenced by the parameter.
Business Impact: Business value of the affected data.
CROSS SITE REQUEST FORGERY
Defining Cross Site Request Forgery
• Tricking the victim's browser into issuing an HTTP request to a site the user is logged in to
– Confused deputy problem
• The browser automatically sends:
– Session cookie
– Authentication information (forms authentication cookie, Basic or Windows credentials)
• Victim needs to be logged on
CSRF Matrix
Threat Agents: Anyone who can trick your users into submitting a request to your site
Attack Vectors (Exploitability: AVERAGE): Attacker creates forged HTTP requests and tricks the victim into submitting them via image tags, XSS or numerous other techniques.
Security Weakness (Prevalence: WIDESPREAD, Detectability: EASY): Browsers send credentials like authentication cookies automatically, so attackers can create malicious web pages that generate forged requests indistinguishable from legitimate ones.
Technical Impacts (Impact: MODERATE): Attackers can change any data the victim is allowed to change or perform any function the victim is authorised to use.
Business Impact: Business value of the affected data.
CSRF Prevention
• Prevention measures that don't work:
– Using a secret cookie (the browser attaches it to the forged request just like any other cookie)
– Only accepting POST requests (a hidden auto-submitting form posts just as easily as an image tag gets)
– Multi-step transactions (each step can be forged in turn as long as the attacker can predict it)
– URL rewriting (moves the session ID into the URL, where it leaks through Referer headers and logs)
CSRF Prevention
• Synchronizer token pattern: a random per-session token rendered in a hidden field and checked server-side on every state-changing request
• ViewState
– ViewStateUserKey = Session.SessionID (set in Page_Init) ties the ViewState MAC to the current session
• Double submit cookies
– Header
– Hidden form value
• .NET CSRF Guard
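The slide's ViewStateUserKey line is a one-liner, so it is worth seeing what it does and does not cover. The C# below is an added example (written for this page, not from the deck, Troy Hunt's ebook or the CSRF Guard project) of a synchronizer token for ASP.NET Web Forms together with that one-liner in a shared base page. It assumes .NET Framework 4.x; the field and session key names are arbitrary choices of the example.

```csharp
// Added example (not part of the deck): a synchronizer token for ASP.NET Web Forms plus the
// ViewStateUserKey defence from the slide. Assumes .NET Framework 4.x; the field and
// session key names are choices of this example.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public static class AntiForgery
{
    const string SessionKey = "__csrf_token";
    public const string FieldName = "__csrf";

    // One random token per session, created on first use. It is never derived from anything
    // the attacker can predict, and never carried in a cookie (the browser would attach a
    // cookie to the forged request automatically, which is why a "secret cookie" fails).
    public static string GetToken(HttpSessionState session)
    {
        string token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
                rng.GetBytes(bytes);
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    // Hidden field to render inside every form that changes state.
    public static string HiddenField(HttpSessionState session)
    {
        return "<input type=\"hidden\" name=\"" + FieldName + "\" value=\""
             + HttpUtility.HtmlAttributeEncode(GetToken(session)) + "\" />";
    }

    // Reject any state-changing request whose token does not match the session's.
    // Only the form body is consulted, never the query string or a cookie.
    public static void Validate(HttpRequest request, HttpSessionState session)
    {
        if (request.HttpMethod == "GET" || request.HttpMethod == "HEAD") return;
        string expected = session[SessionKey] as string;
        string actual = request.Form[FieldName];
        if (expected == null || actual == null || !FixedTimeEquals(expected, actual))
            throw new HttpException(403, "Anti-forgery token missing or invalid");
    }

    // Compare every character so response time does not reveal how many matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Base page: every page inheriting from it gets both defences.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Slide's defence: the ViewState MAC now covers the session ID, so a __VIEWSTATE the
        // attacker captured or generated fails validation inside the victim's session.
        // Must be set during Init, and only protects postbacks that carry ViewState.
        ViewStateUserKey = Session.SessionID;

        // Synchronizer token for everything else: forms without ViewState, handlers, services.
        AntiForgery.Validate(Request, Session);
    }
}
```

Render `<%= AntiForgery.HiddenField(Session) %>` inside each `<form runat="server">` and derive pages from `SecurePage`. Two caveats a practitioner hits immediately: ViewStateUserKey depends on `enableViewStateMac` staying on (the default), and `Session.SessionID` is only stable once something has been stored in the session (or a `Session_Start` handler exists in Global.asax); with an empty session the ID changes on every request and every postback fails MAC validation.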
INSECURE CRYPTOGRAPHIC STORAGE
Defining Insecure Cryptographic Storage
• Sensitive data (credentials, card numbers, personal data) is not protected with appropriate encryption or hashing, or the protection is implemented badly
Insecure Cryptographic Storage Matrix
Threat Agents: Users of the system, and anyone else who obtains a copy of the stored data
Attack Vectors (Exploitability: DIFFICULT): Attackers don't break the crypto. They find keys, get clear-text copies of data or access data via channels that automatically decrypt it.
Security Weakness (Prevalence: UNCOMMON, Detectability: DIFFICULT): The most common flaw is simply not encrypting data that deserves it. Unsafe key generation, insecure storage of keys, no key rotation and weak algorithms are also common.
Technical Impacts (Impact: SEVERE): Compromises all data that should have been encrypted.
Business Impact: Business value of the affected data.
Questions
• Is the right data encrypted?
• Are the keys protected?
• Is the source data exposed by other interfaces?
• Is the hashing weak?
Encryption, hashing, salting
• Encryption: Transforming data into an illegible form that can only be deciphered with a key (reversible, for data you need to read back)
• Hashing: Creating a fixed-size, one-way digest that cannot be converted back (for data you only need to compare, such as passwords)
• Salting: Adding a random, per-record string to the input before hashing, so that identical inputs produce different hashes and precomputed (rainbow) tables are useless
MD5, SHA, DES, AES
• MD5: Common, not collision resistant; do not use it for anything security relevant.
• SHA: Secure Hash Algorithm family; the most popular, but not all members are equally strong (SHA-1 is deprecated for new use, prefer SHA-256 or stronger).
• DES: Data Encryption Standard, insecure (56-bit key, brute-forceable).
• AES: Advanced Encryption Standard, common and the current standard for symmetric encryption.
• None of the hashes above is a password hash on its own: passwords need a salted, deliberately slow derivation such as PBKDF2 (Rfc2898DeriveBytes in .NET) or bcrypt.
Symmetric / Asymmetric Encryption
• Symmetric Encryption
– Uses the same key to both encrypt and decrypt
– The same algorithm is applied to reverse the encryption
• Asymmetric Encryption
– Different keys for encryption and decryption (public key encrypts, private key decrypts)
Key Management
• Keep keys unique
• Protect the keys
• Always store keys away from the data they protect
• Keys should have a defined lifecycle (generation, rotation, retirement)
Cryptographic Cheat Sheet
• Only store sensitive data you need
• Only use strong crypto algorithms (AES, RSA)
• Ensure that random numbers are cryptographically strong
• Only use widely accepted implementations of cryptographic algorithms
• Store the hashed and salted value of passwords
• Ensure that any secret key is protected from unauthorized access
FAILURE TO RESTRICT URL ACCESS
Defining failure to restrict URL access
• Users are able to access a resource they should not, because appropriate access controls do not exist or the only protection is that nothing links to the page
Failure to Restrict URL Access Matrix
Threat Agents: Anyone with network access can send the application a request; could anonymous users reach a private page, or regular users a privileged one?
Attack Vectors (Exploitability: EASY): An attacker who is already an authorised user simply changes the URL to a privileged page.
Security Weakness (Prevalence: UNCOMMON, Detectability: AVERAGE): Misconfigured URL protection, or code checks the developer forgot to add.
Technical Impacts (Impact: MODERATE): Allows attackers to access unauthorized functionality; administrative functions are the key target.
Business Impact: Business value of the affected functions and data.
Suggestions
• Leverage roles in preference to individual users
• Apply principal permissions
– [PrincipalPermission] attribute
• Protect web services and async calls (they are URLs too, and are just as easy to request directly)
• Leverage the IIS 7 integrated pipeline so ASP.NET authorization applies to every request, not only to .aspx pages
• Do not roll your own security model
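Both this section and the insecure direct object reference section come down to the same missing step: checking authorisation server-side, for the function and for the specific object. The C# below is an added example written for this page (not from the deck or Troy Hunt's ebook) of a constructed invoice service that shows the IDOR before and after, and a role demand with the [PrincipalPermission] attribute from the suggestions above. It assumes .NET Framework 4.x with forms authentication and a role provider configured, so that Thread.CurrentPrincipal carries the user's roles; the table and column names and the "Finance" role are assumptions of the example.

```csharp
// Added example (not part of the deck): the authorisation checks the IDOR and "failure to
// restrict URL access" slides call for, on a constructed Invoice service. Assumes .NET
// Framework 4.x with forms authentication and a role provider; table/column names and the
// "Finance" role are assumptions. The connection is expected to be open.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;
using System.Threading;

public class InvoiceService
{
    readonly SqlConnection _conn;
    public InvoiceService(SqlConnection conn) { _conn = conn; }

    // INSECURE DIRECT OBJECT REFERENCE: the key from the request is used as-is. Any
    // authenticated user who changes ?id=1042 to ?id=1043 reads someone else's invoice.
    public DataTable GetInvoiceUnsafe(int invoiceId)
    {
        using (var cmd = new SqlCommand("SELECT * FROM Invoices WHERE Id = @id", _conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = invoiceId;
            return Fill(cmd);
        }
    }

    // FIXED: authorisation is part of the query. The owner comes from the authenticated
    // identity, never from the request, so the key can still be guessed but not used.
    public DataTable GetInvoice(int invoiceId)
    {
        string owner = CurrentUserName();
        using (var cmd = new SqlCommand(
            "SELECT * FROM Invoices WHERE Id = @id AND OwnerUserName = @owner", _conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = invoiceId;
            cmd.Parameters.Add("@owner", SqlDbType.NVarChar, 256).Value = owner;
            DataTable result = Fill(cmd);
            if (result.Rows.Count == 0) // same answer whether it is missing or not theirs
                throw new SecurityException("Invoice not found or not accessible");
            return result;
        }
    }

    // FAILURE TO RESTRICT URL ACCESS: a privileged operation protected only by "nobody links
    // to it" is reachable by anyone who types the URL. The declarative demand makes the
    // runtime throw SecurityException unless Thread.CurrentPrincipal is in the role, no
    // matter which page, web service or async call reached this method. Roles rather than
    // user names, so the check survives staff changes.
    [PrincipalPermission(SecurityAction.Demand, Role = "Finance")]
    public void VoidInvoice(int invoiceId)
    {
        using (var cmd = new SqlCommand("UPDATE Invoices SET Voided = 1 WHERE Id = @id", _conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = invoiceId;
            cmd.ExecuteNonQuery();
        }
    }

    static string CurrentUserName()
    {
        var principal = Thread.CurrentPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required");
        return principal.Identity.Name;
    }

    static DataTable Fill(SqlCommand cmd)
    {
        var table = new DataTable();
        new SqlDataAdapter(cmd).Fill(table);
        return table;
    }
}
```

The method-level demand is the backstop; keep URL-level authorization as well, for example a `<location path="Admin">` element in web.config with `<allow roles="Finance" />` followed by `<deny users="*" />`. Under the IIS 7 integrated pipeline that rule covers every file under Admin, including handlers, web services and static content, which is the point of the "leverage IIS 7 integrated pipeline" suggestion above.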